Bank Sends Confidential Email To Wrong Address, Hauls Google To Court To Figure Out Who Got The Email

from the grab-some-popcorn dept

Everyone does it at some point: you send an email to the wrong person. Hopefully the content isn't that bad or important -- but it happens. However, when a Wyoming bank, Rocky Mountain Bank, accidentally sent confidential and sensitive information to the wrong Gmail account, the bank ended up taking Google to court to find out the identity of the individual. The bank had tried emailing the wrong address again, but got no response. Google, naturally, refused to just give up the name of the person without a court order -- so the bank went to court. It also tried to have the case sealed, but the judge has rejected that idea. You can certainly understand the bank's concern here, but it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bank, email, identity, privacy, security
Companies: google, rocky mountain bank


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    ChurchHatesTucker (profile), 23 Sep 2009 @ 5:08pm

    WTF?

    This makes no sense. What's the blogger going to do? Send the original bits back? They've got to fix this frak-up on their end regardless.

    Also, let's say that there was a blogger who was critical of a corporation. Could they just 'accidently' send a sensitive email and then demand his identity?

    link to this | view in thread ]

  2. icon
    GJ (profile), 23 Sep 2009 @ 5:08pm

    it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email.

    Ok, serious question for you Mike: How else would they find out who received the email?

    Google, rightfully so, doesn't want to give the info without a court order, and the bank, rightfully so, has to cover its ass(ets) and get the information.

    What other course of action does the bank have?

    This, for once, seems like a legit (pardon the pun) reason for using the court system.

    --GJ--

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 23 Sep 2009 @ 5:31pm

    Those bastards not only stole the identity of the intended recipient, they got his email as well!!

    link to this | view in thread ]

  4. identicon
    ..., 23 Sep 2009 @ 5:32pm

    Re:

    "the bank, rightfully so, has to cover its ass(ets) and get the information."

    Once they have the identity, then what, the bank still has to fix the problem. Possibly the bank is hoping the recipent did not read the email and then they do not have to do anything, is it possible to demonstrate whether an email was read or not ?

    link to this | view in thread ]

  5. icon
    DJ (profile), 23 Sep 2009 @ 5:50pm

    Tricare dealt with this

    A few years back (can't remember actually when) Tricare had a bunch of medical records of military personnel stolen. At first, that was the absolute extent of their knowledge. So what did they do? They sent out official notices to anyone whose records were stored at that facility basically saying "Your records MIGHT have been compromised. Keep an eye on your shit."
    So to cover their asses, RMB just had to notify the originally intended recipient; possibly offer some sort of ID theft recovery as well. There. End of story. No lawsuits are needed.
    "But DJ, that would require the bank to admit guilt!"
    Uhh..yeah. And?

    link to this | view in thread ]

  6. icon
    zcat (profile), 23 Sep 2009 @ 6:08pm

    --
    Disclaimer:
    By sending an email to any of my addresses you are agreeing that:
    1. I am by definition, "the intended recipient"
    2. All information in the email is mine to do with as I see fit and
    make such financial profit, political mileage, or good joke as it
    lends itself to.
    3. I may take the contents as representing the views of your company.
    4. This overrides any disclaimer or statement of confidentiality
    that may be included on your message.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 23 Sep 2009 @ 6:13pm

    Re:

    I need to add that as my signature to all my emails.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 23 Sep 2009 @ 7:43pm

    "but it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email."

    If I make a mistake someone else has to pay. That pretty much sums up the American legal system in a nutshell.

    link to this | view in thread ]

  9. icon
    DavisPrime (profile), 23 Sep 2009 @ 7:45pm

    Chances are the person that received it thought it was just phishing emails and deleted both emails without much thought.

    link to this | view in thread ]

  10. identicon
    Jason, 23 Sep 2009 @ 7:57pm

    my question is why was the bank having this data in plain english upon an employees computer in the first place, isn't there a data protection plan for their customers that doesn't include distributing files throughout the office with customers social security numbers plainly available?

    link to this | view in thread ]

  11. identicon
    Lordmorgul, 23 Sep 2009 @ 8:37pm

    Re:

    The bank has no right to know who they sent that email to, but they have a responsibiliy to fix any losses incurred due to their own failures. Even if that information has 'seemingly' been used in identity theft the bank cannot prove it was due to this email, and if not then they have no rights to the email recipients information.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 23 Sep 2009 @ 8:37pm

    Re:

    Or he never saw the emails because it got redirected into the spam folder.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 23 Sep 2009 @ 8:50pm

    Re: Re:

    Drawing an analogy to the law of trade secrets, the Uniform Trade Secrets Act, which has been codified in the laws of the majority of states, does not permit a recipient of obviously secret information that was accidentally disclosed and the accident apparent to the recipient to proceed "full speed ahead" without worry.

    See: Uniform Trade Secrets Act, Secion 1, Clause 2.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 23 Sep 2009 @ 8:56pm

    Re:

    You know the bank isn't suing Google for monetary damages right?

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 23 Sep 2009 @ 9:03pm

    What if the bank had sent printed documents to the wrong recipient using the postal system, say, to the wrong PO Box (otherwise it'd be pretty obvious where to find the recipient)?

    link to this | view in thread ]

  16. icon
    ChurchHatesTucker (profile), 23 Sep 2009 @ 9:17pm

    Re: Re: Re:

    "Drawing an analogy to the law of trade secrets, the Uniform Trade Secrets Act, which has been codified in the laws of the majority of states, does not permit a recipient of obviously secret information that was accidentally disclosed and the accident apparent to the recipient to proceed "full speed ahead" without worry. "

    Forgetting for a moment that those are stupid laws (that fly in the face of the whole concept of the patent process) which are dubious at best in this case, IT DOES NOT MATTER whom the bank sent the info to, and EVEN LESS what may be lawfully done with it. . They have to assume it's already compromised. I shudder to think that they're hoping to somehow get the email back.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 23 Sep 2009 @ 10:12pm

    Re: Re:

    Never said they were. Stop putting words in my mouth.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 23 Sep 2009 @ 10:12pm

    Re: Re:

    Never said they were. Stop putting words in my mouth.

    link to this | view in thread ]

  19. icon
    G Thompson (profile), 23 Sep 2009 @ 10:46pm

    Everyone (including the bank no doubt) is assuming that the email recipient is a citizen of the USA.

    Though its more likely they are than not, there is still the chance that they are not a US citizen and therefore not beholden to the Uniform Trade Secrets Act.

    Not only that but if they are a citizen of the EU or AU/NZ then Privacy laws are absolute and the bank has no actionable way to even do anything to the individual who could for example place the whole email onto Wikileaks.

    The Bank is liable and has a duty of care to its customers to assume that the data is now fully publicly available and to take all measures to secure further emails (encryption etc) to allay any fears that the customers have. The customers themselves have cause though to make a claim for negligence on the bank. That is most likely the real reason why the bank wanted the records sealed.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 23 Sep 2009 @ 10:55pm

    Re:

    "The Bank is liable and has a duty of care to its customers to assume that the data is now fully publicly available and to take all measures to secure further emails (encryption etc) to allay any fears that the customers have."

    I completely agree, but again, in America if I make a mistake someone else has to pay. That's the mentality that our legal system has encouraged and that's why all these entities hold such a mentality.

    link to this | view in thread ]

  21. identicon
    well, 24 Sep 2009 @ 3:36am

    Whoever got it could embarrass the bank by simply posting something like:

    OK you want my identity...here it is..and to prove this isn't just a joke...here's the entire email posted in plain text!

    If I was the bank, I'd have sort of fessed up...asked google to contact the recipient without telling me who they were and then offered some sort of "reward" for the person contacting the bank to help them sort the problem out.

    Obviously whatever has been lost goes way beyond a few bank account numbers or SN's, because the banks losing this type of stuff has become a regular running weekly joke (and they simply don't seem to care if its 1 account lost or 1,000,000), so I'm guessing its either a celebrities embarassing credit card statement or belongs to someone with real power that can do the bank A LOT of harm.
    Or possibly something to do with the stealing money from the recent bailout (but banks would never do that sort of thing surely? ) :)

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 24 Sep 2009 @ 4:32am

    Every one assumes that this was an accident. What if it was not?

    What if the accident part is bank management discovering that the information was sent out and the rest is a cover up of a theft of sensitive information that can and will be used?

    link to this | view in thread ]

  23. identicon
    Michael, 24 Sep 2009 @ 5:03am

    Missing the point

    I think the bigger point is that someone (or everyone) at this bank thinks that emailing sensitive information is secure. Even if they were smart enough to type the correct email address, it seems like a massive security problem to be sending unencrypted sensitive information in an email.

    They have a much larger problem to worry about than finding the recipient of this information. They should be worrying about the hundreds of other emails full of sensitive information that could have been easily intercepted.

    link to this | view in thread ]

  24. identicon
    What?, 24 Sep 2009 @ 6:24am

    Re: Re: Re:

    AC1 -> "If I make a mistake someone else has to pay."
    AC2 -> "You know the bank isn't suing Google for monetary damages right?"
    AC1 -> "Never said they were. Stop putting words in my mouth."

    link to this | view in thread ]

  25. identicon
    ..., 24 Sep 2009 @ 6:28am

    Re:

    "Everyone (including the bank no doubt) is assuming that the email recipient is a citizen of the USA."

    Everyone?
    That is quite an assumption. It only takes one person who didn't think that in order to make the statement incorrect.

    btw, I did not assume it went to any particular country

    link to this | view in thread ]

  26. identicon
    Errrr, 24 Sep 2009 @ 6:30am

    Re: Re:

    "in America if I make a mistake someone else has to pay. "

    pay what? how much?
    I thought the case was not about money

    link to this | view in thread ]

  27. icon
    RoyalWitCheese (profile), 24 Sep 2009 @ 6:33am

    +1 for Google

    At least Google's stepping up to the plate for their users' privacy. Many companies would just hand over that info.

    BTW - This would make for a great phishing scam. Spam emails, then get the mail server host to release the names of all recipients.

    link to this | view in thread ]

  28. icon
    Josh in CharlotteNC (profile), 24 Sep 2009 @ 8:52am

    What then?

    Has anyone at the bank figured out what they're going to do if they actually do get the person's name?

    Knock on his door and force him to delete the email? Have the police follow him around to make sure he doesn't do anything with the info?

    Assuming of course there's anything more than an IP address of the login to that gmail account. When I signed up to gmail, the only thing I remember inputting was another email address in case I forgot my password.

    link to this | view in thread ]

  29. icon
    Overcast (profile), 24 Sep 2009 @ 9:51am

    That's what I was thinking Josh - even if this guy/girl replies and said 'sure, I deleted it' - how is there any real proof it was done?

    I guess the bank's gonna have to pony up for 'ID protection' or change account numbers, etc to attempt to reduce liability.

    If I would have gotten it, I really would just delete it - but who's to say what someone else might do if they get mine?

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 24 Sep 2009 @ 9:55am

    Re: Re: Re:

    Please understand the context of the conversation before you demonstrate your reading comprehension problems.

    Given the context, payment wasn't referring to paying money directly. It's referring to the privacy that the E - Mail address owner gives up as a result of the banks mistakes. Other people have to suffer (pay) for the mistakes that the bank makes. The COST of the banks mistakes is our privacy.

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 24 Sep 2009 @ 10:00am

    Re: Re: Re: Re:

    The made the mistake, the bank should have to pay to rectify the problem and ensure the users privacy. Yes, that means the bank may have to do a little work and spend some time (time = money) but why waste everyone else's time (ie: Google's time, and time = money so Google is paying for the banks mistakes, and the time of the ISP's as well if Google has to give up a hostmask and the ISP must look up the name, the risk of both these entities being sued for giving up private information, and then the person with the E - Mail address suffers because his/her privacy is given away against his/her for a mistake the bank made, so s/he has to pay) for a mistake the bank made.

    Because in America if I make a mistake someone else has to pay. That's basically what the laws in this country encourage and so entities have acquired this mentality.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 24 Sep 2009 @ 10:07am

    Re: Re: Re: Re: Re:

    sp/The made the mistake/They made the mistake

    sp/against his/her for a mistake the bank made,/against his/her will for a mistake the bank made,

    link to this | view in thread ]

  33. identicon
    Yakko Warner, 24 Sep 2009 @ 10:09am

    Re: WTF?

    I saw something like that in the signature of some corporate email where I contracted once. It said something to the effect of, "if you are not the intended recipient, you are required to return this email at once."

    link to this | view in thread ]

  34. identicon
    Anonymous Coward, 24 Sep 2009 @ 10:10am

    Re: Re: Re: Re:

    Ok, let me help correct your reading comprehension problem.

    Pay can have more than one meaning.

    "11. to suffer in retribution; undergo: You'll pay the penalty for your stubbornness! "

    http://dictionary.reference.com/browse/pay?r=75

    Given the context that should have been the meaning you chose.
    There, I hope this helps you in the future, now go forth and read with better reading comprehension.

    link to this | view in thread ]

  35. identicon
    Anonymous Coward, 24 Sep 2009 @ 10:15am

    Re: Re: Re: Re: Re:

    Another example

    "17. to suffer or be punished for something: The murderer paid with his life. "

    http://dictionary.reference.com/browse/pay?r=75

    There, are you happy? Do you not know that words can have more than one meaning in English. I know this is true in other language too, so I won't buy the excuse that English is your third language either. In many languages one has to interpret the meaning of certain words based on the context. What, are you really that illiterate or something?

    link to this | view in thread ]

  36. identicon
    Anonymous Coward, 24 Sep 2009 @ 10:49am

    Re: Re: Re: Re:

    If you really are struggling to understand the meaning of words based on context there are many colleges and universities that offer English courses. I suggest you enroll. I'll even help you, give me your approximate location and I'll find the nearest one for you via goolge maps.

    link to this | view in thread ]

  37. identicon
    Lonzo, 24 Sep 2009 @ 10:51am

    Very questionable

    It goes without saying that they can never get this information "back". I'm very concerned about their methods, and hope this is not SOP throughout the US banking system, because they cannot possibly rectify the situation by contacting this individual; in fact, he next "logical" step along the path they appear to be pursuing is to lock the recipient of the message in a cage, which, I would dearly hope is legally impossible. This bank should have never even attempted to contact Google, much less have them ordered to disclose private information-- a fact that should be recognized by any sane judge. They should have simply fessed up (even made up some kind of story), contacted their customers and changed their ABA#s, Acct#s and whatever info they could-- SSNs are fairly easy to compromise anyway, from what I understand, so it's safe to assume one could find that info elsewhere. As it stands, the recipient of that mail has been compromised every bit as much as the customers whose account information has been fumbled. He will be open to unwanted and undeserved scrutiny by government agencies when he should not even have to bother with this situation. Any information he might have should have been rendered useless by now.

    link to this | view in thread ]

  38. identicon
    ImTheOne, 24 Sep 2009 @ 11:15am

    pls give out my ID...

    Google, pls give the bank my name and address. And tell the bank it will cost them $1m if they don't want me to forward the email to the world. ha ha

    link to this | view in thread ]

  39. icon
    Fred McTaker (profile), 24 Sep 2009 @ 11:25am

    Re:

    For future reference, this legal notice trumps everyone else's legal footers:

    By sending an email to any of my addresses, or any lists that I am subscribed to, you are agreeing that:

    1. I am by definition, "the intended recipient"
    2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it ruthlessly.
    3. I may take the contents as representing the views of your company.
    4. This overrides any disclaimer or statement of confidentiality that may be included on your message.
    5. Even if you only see this legal notice once, it still applies to all our communications.
    6. Unless the email is both signed and encrypted via PGP, with public/private key pairs that can only be attributed to two distinct owners, the real sender and recipient can never be determined with any certainty. All legal representations about any plain-text email are
    thus null and void, including this one.
    7. All hate mail will automatically be forwarded to please.arrest.me@fbi.gov

    Loosely derived from:
    http://discuss.joelonsoftware.com/default.asp?biz.5.588844.18


    To all Banks, everywhere: if the message isn't PGP encrypted using the intended recipients' Public Key(s), you can't be sure they will be the only readers. EMAIL IS NOT A MEDIUM FOR SENSITIVE INFORMATION, EVER. Email a link to an HTTPS/SSL encrypted site, and require secure authentication. You can't fix a breach afterwards, especially if you committed the breach.

    link to this | view in thread ]

  40. identicon
    hegemon13, 24 Sep 2009 @ 12:17pm

    Re:

    Or it was, like the vast majority of email accounts, an unused, abandoned, or "junk" mail account.

    link to this | view in thread ]

  41. identicon
    again, more errrr., 24 Sep 2009 @ 12:28pm

    Re: Re: Re: Re: Re:

    Who's getting paid now? Yoose guys keep confusing me. errrr.

    link to this | view in thread ]

  42. identicon
    bluecraze378, 24 Sep 2009 @ 4:12pm

    I hate to say it but...

    For once, Google should be defended for their actions in this case. Clearly, the bank screwed up and should have to come up with good cause before hauling Google into court to get the information.

    Email companies should be fighting to protect the privacy of their customers, not revealing it at the drop of a hat. Sure, maybe if there were legal cause I could maybe see it in some very rare cases, but generally speaking, when people want private email communications they should be guaranteed the privacy they were promised by the email service so they don't have their account compromised by advertisers, hackers, identity thieves or by the government or courts snooping in on one's private conversations and data.

    Although, the concept that Gmail could be considered a "private email" service is kind of a ridiculous thought to begin with. They regularly harvest users' information for advertising and don't provide much of a defense from spam, scams, and identity thieves.

    I use PrivacyHarbor.com to avoid these sorts of issues all together. They don't share your private information with anyone and don't mine your data for advertising. I also never get spam or people phishing to get my private data. It's a great service compared to what Gmail has to offer.

    link to this | view in thread ]

  43. identicon
    Ben Zayb, 24 Sep 2009 @ 4:15pm

    Re: Re: Re: Re: Re:

    Better yet, somebody should just draw the guy a picture!

    link to this | view in thread ]

  44. identicon
    Anonymous Coward, 24 Sep 2009 @ 6:52pm

    Re: Re: Re: Re:

    " I shudder to think that they're hoping to somehow get the email back."

    Sure, that's what the second email was asking for... "We accidentally emailed you a file intended for someone else. Would you please be kind enough to email it back to us so we can send it to the correct person?"

    link to this | view in thread ]

  45. icon
    another mike (profile), 25 Sep 2009 @ 12:27pm

    Re:

    This is going to be my e-mail server's new TOS.

    link to this | view in thread ]

  46. icon
    another mike (profile), 25 Sep 2009 @ 12:35pm

    reply all

    Why couldn't that employee just send a suggestive email to a female employee after clicking "Reply All" like a normal person. All this trouble about tracking down where you leaked your data.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.